RACFJWT Facility Class profiles are checked when the submitter Userid and JWT Userid are not identical. When the submitter Userid and JWT Userid are identical, the RACFJWT Facility Class profile checks are bypassed, and the process continues to PassTicket authorization.
RACF Class: FACILITY
“Generic” Resource Profile: TERADATA.TTU.RACFJWT.*
Userid checked: Submitter Userid
Description: When the Generic Resource Profile is defined, the Discrete Resource Profile is checked next. If the Generic profile is not defined, the RACFJWT FACILITY checks are skipped and the PTKTDATA Class is checked.
RACF commands:
- RDEFINE FACILITY TERADATA.TTU.RACFJWT.* UACC(READ)

RACF Class: FACILITY
“Discrete” Resource Profile: TERADATA.TTU.RACFJWT.<JWT Userid>
Userid checked: JWT Userid
Description: For Identity Token (JWT) generation, the Discrete Resource Profile is checked for JWT Userid authorization. If the Discrete Profile does not exist, or the JWT Userid is not authorized on it, JWT generation fails.
RACF commands:
- RDEFINE FACILITY TERADATA.TTU.RACFJWT.<JWT Userid> UACC(NONE)
- PERMIT TERADATA.TTU.RACFJWT.<JWT Userid> CLASS(FACILITY) ID(<Group>|<User>) ACC(READ)

RACF Class: PTKTDATA
“Generic” Resource Profile: IRRPTAUTH.RACFJWT.*
Userid checked: JWT Userid
Description: Grants permission for any JWT Userid to generate a “one-time” PassTicket, used in lieu of a password for z/OS logons.
RACF commands:
- RDEFINE PTKTDATA IRRPTAUTH.RACFJWT.* UACC(NONE)
- PERMIT IRRPTAUTH.RACFJWT.* CLASS(PTKTDATA) ID(<Group>|<User>) ACC(UPDATE)
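The three profile definitions above, combined into a single batch job that runs the RACF commands under IKJEFT01 and then lists the resulting profiles so the permits can be verified. This is an added example, not from the Teradata documentation. It assumes a submitter group named TTUSUBMT and a JWT target userid JWTUSR1 (both hypothetical), that the FACILITY and PTKTDATA classes are already active and RACLISTed, and that the PTKTDATA application profile for RACFJWT holding the secured signon key exists (that profile is not covered on this page).

```jcl
//RACFJWT  JOB (ACCT),'DEFINE RACFJWT PROFILES',CLASS=A,MSGCLASS=X
//* Added example: not part of the Teradata TTU documentation.
//* Assumptions (hypothetical names, not from the page):
//*   TTUSUBMT = RACF group of the userids that submit TTU jobs
//*   JWTUSR1  = the JWT Userid a submitter may generate tokens for
//*   FACILITY and PTKTDATA are CLASSACT and RACLISTed already.
//*   The PTKTDATA profile for application RACFJWT (secured signon
//*   key) is assumed to exist; it is not shown on this page.
//* The issuing userid needs RACF SPECIAL or CLAUTH for the classes.
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS GENERIC(FACILITY)
 RDEFINE FACILITY TERADATA.TTU.RACFJWT.* UACC(READ)
 RDEFINE FACILITY TERADATA.TTU.RACFJWT.JWTUSR1 UACC(NONE)
 PERMIT TERADATA.TTU.RACFJWT.JWTUSR1 CLASS(FACILITY) -
        ID(TTUSUBMT) ACCESS(READ)
 RDEFINE PTKTDATA IRRPTAUTH.RACFJWT.* UACC(NONE)
 PERMIT IRRPTAUTH.RACFJWT.* CLASS(PTKTDATA) -
        ID(TTUSUBMT) ACCESS(UPDATE)
 SETROPTS RACLIST(FACILITY) REFRESH
 SETROPTS RACLIST(PTKTDATA) REFRESH
 RLIST FACILITY TERADATA.TTU.RACFJWT.* AUTHUSER
 RLIST FACILITY TERADATA.TTU.RACFJWT.JWTUSR1 AUTHUSER
 RLIST PTKTDATA IRRPTAUTH.RACFJWT.* AUTHUSER
/*
```

The generic TERADATA.TTU.RACFJWT.* profile carries UACC(READ), so any submitter passes that first check; the discrete profile is created with UACC(NONE) and only the TTUSUBMT group is permitted, which is what restricts which submitters may mint a JWT for JWTUSR1. The SETROPTS RACLIST REFRESH commands are required for in-storage copies of both classes to pick up the new profiles; without them the checks keep using the old profile list. The RLIST output shows the access list for each profile and is the quickest way to confirm that only the intended group holds READ on the discrete profile and UPDATE on IRRPTAUTH.RACFJWT.*.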